Apple Quicktime Invalid URL Atom Size Denial of Service Vulnerability

Talos Vulnerability Report

TALOS-2015-0012

August 13, 2015

CVE Number

CVE-2015-3788

Description

An exploitable denial of service vulnerability exists in Apple Quicktime. An attacker who can control the size of a "url" atom in a mov media file can cause an undersized allocation leading to an out-of-bounds read. Since the allocation only contains data already present in the file, the impact is limited to denial of service.

The atom size must be at least 8 bytes and the size of the new allocation is computed by subtracting 12 from this size. Because of the way this is calculated, the new allocation may contain 0 bytes of data.

The function QuicktimeStreaming!0x8b2e0 is responsible for processing the url atom data. A null-terminated string is expected; however, a pointer to the data is passed directly to strlen() to determine the string length.

v1 = strlen(atom_data);
v2 = 0;
if ( (signed int)(v1 - 1) <= 0 )
{

The problem occurs when there are either 0 bytes of data in a "url " atom or the data is not null-terminated. In both cases, the call to strlen() will read off the end of the buffer without stopping, resulting in an out-of-bounds read.
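
The bounds checks whose absence is described above, as an added example (not Apple's code and not part of the Talos report). It assumes a 12-byte atom header (4-byte big-endian size, 4-byte type, 4 bytes of version/flags); the function name and sample atoms are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header: 4-byte big-endian size, 4-byte type, 4 bytes version/flags. */
#define URL_ATOM_HEADER 12u

/* Constructed sample atoms (not taken from any real file). */
static const uint8_t SAMPLE_OK[]     = {0,0,0,18,'u','r','l',' ',0,0,0,0,'a','.','m','o','v',0};
static const uint8_t SAMPLE_EMPTY[]  = {0,0,0,12,'u','r','l',' ',0,0,0,0};
static const uint8_t SAMPLE_UNTERM[] = {0,0,0,16,'u','r','l',' ',0,0,0,0,'a','.','m','o'};
static const uint8_t SAMPLE_SHORT[]  = {0,0,0,8,'u','r','l',' ',0,0,0,0};

/* Returns the length of the URL string in the atom, or -1 if the atom is
 * malformed. buf/avail describe the bytes actually read from the file. */
long url_atom_strlen_checked(const uint8_t *buf, size_t avail)
{
    if (avail < URL_ATOM_HEADER)
        return -1;
    uint32_t size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (memcmp(buf + 4, "url ", 4) != 0)
        return -1;
    /* Sizes below the header would make size - 12 wrap; sizes above
     * avail would describe data that is not in the buffer. */
    if (size < URL_ATOM_HEADER || size > avail)
        return -1;
    size_t data_len = size - URL_ATOM_HEADER;
    const uint8_t *data = buf + URL_ATOM_HEADER;
    /* Bounded search instead of strlen(): zero-length or unterminated
     * data is rejected rather than read past the end. */
    const uint8_t *nul = data_len ? memchr(data, 0, data_len) : NULL;
    if (nul == NULL)
        return -1;
    return (long)(nul - data);
}

int main(void)
{
    printf("ok=%ld empty=%ld unterminated=%ld short=%ld\n",
           url_atom_strlen_checked(SAMPLE_OK, sizeof SAMPLE_OK),
           url_atom_strlen_checked(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY),
           url_atom_strlen_checked(SAMPLE_UNTERM, sizeof SAMPLE_UNTERM),
           url_atom_strlen_checked(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```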

Credit
